Permalink
Browse files

FIX Disallow permissions assign for APPLY_ROLES (SS-2013-005)

  • Loading branch information...
1 parent 8b5c8ea commit f803704d911ec2dc00b6aeecd1408f5d002a1144 @chillu chillu committed Aug 30, 2013
Showing with 17 additions and 0 deletions.
  1. +17 −0 security/PermissionCheckboxSetField.php
@@ -161,6 +161,8 @@ public function Field($properties = array()) {
$odd = 0;
$options = '';
if($this->source) {
+ $privilegedPermissions = Permission::config()->privileged_permissions;
+
// loop through all available categorized permissions and see if they're assigned for the given groups
foreach($this->source as $categoryName => $permissions) {
$options .= "<li><h5>$categoryName</h5></li>";
@@ -193,6 +195,11 @@ public function Field($properties = array()) {
$inheritMessage = ' (' . join(', ', $uninheritedCodes[$code]).')';
}
+ // Disallow modification of "privileged" permissions unless currently logged-in user is an admin
+ if(!Permission::check('ADMIN') && in_array($code, $privilegedPermissions)) {
+ $disabled = ' disabled="true"';
+ }
+
// If the field is readonly, always mark as "disabled"
if($this->readonly) $disabled = ' disabled="true"';
@@ -245,6 +252,16 @@ public function saveInto(DataObjectInterface $record) {
$fieldname = $this->name;
$managedClass = $this->managedClass;
+ // Remove all "privileged" permissions if the currently logged-in user is not an admin
+ $privilegedPermissions = Permission::config()->privileged_permissions;
+ if(!Permission::check('ADMIN')) {
+ foreach($this->value as $id => $bool) {
+ if(in_array($id, $privilegedPermissions)) {
+ unset($this->value[$id]);
+ }
+ }
+ }
+
// remove all permissions and re-add them afterwards
$permissions = $record->$fieldname();
foreach ( $permissions as $permission ) {

0 comments on commit f803704

Please sign in to comment.